
Sybex CCSP: Securing Cisco IOS Networks Study Guide


Document information

Pages: 438
Size: 9.29 MB


Contents



menu, please exit this application and install Adobe Acrobat Reader with Search from this CD (double-click AcroReader51.exe in the Adobe folder).

Navigation

Navigate through the book by clicking on the headings that appear in the left panel; the corresponding page from the book displays in the right panel.

Find and Search

To find and search, click on the toolbar or choose Edit > Find to open the "Find" window. Enter the word or phrase in the "Find What" field and click "Find." The result will be displayed as highlighted in the document. Click "Find Again" to search for the next consecutive entry. The Find command also provides search parameters such as "Match Whole Word Only" and "Match Case." For more information on these features, please refer to the Acrobat Help file in the application menu.


Securing Cisco IOS Networks Study Guide

Todd Lammle
Carl Timm, CCIE #7149

San Francisco • London

4231FM.fm Page iii Tuesday, May 6, 2003 8:59 AM


Associate Publisher: Neil Edde

Acquisitions Editor: Maureen Adams

Developmental Editor: Heather O’Connor

Production Editor: Mae Lum

Technical Editors: Craig Vazquez, Dan Aguilera, Jason T. Rohm

Copyeditor: Sarah H. Lemaire

Compositor: Judy Fung

Graphic Illustrators: Tony Jonick, Scott Benoit

CD Coordinator: Dan Mummert

CD Technician: Kevin Ly

Proofreaders: Laurie O’Connell, Nancy Riddiough, Monique van den Berg

Indexer: Nancy Guenther

Book Designers: Bill Gibson, Judy Fung

Cover Designer: Archer Design

Cover Photographer: Tony Stone

Copyright © 2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.

Library of Congress Card Number: 2003103564

TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.

The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1


To Our Valued Readers:

Thank you for looking to Sybex for your Cisco Certified Security Professional exam prep needs. Developed by Cisco to validate expertise in designing and implementing secure Cisco internetworking solutions, the CCSP certification stands to be one of the most highly sought after IT certifications available.

We at Sybex are proud of the reputation we’ve established for providing certification candidates with the practical knowledge and skills needed to succeed in the highly competitive IT marketplace. It has always been Sybex’s mission to teach individuals how to utilize technologies in the real world, not to simply feed them answers to test questions. Just as Cisco is committed to establishing measurable standards for certifying those professionals who work in the cutting-edge field of internetworking, Sybex is committed to providing those professionals with the means of acquiring the skills and knowledge they need to meet those standards.

The authors, editors, and technical reviewers have worked hard to ensure that this Study Guide is comprehensive, in-depth, and pedagogically sound. We’re confident that this book, along with the collection of cutting-edge software study tools included on the CD, will meet and exceed the demanding standards of the certification marketplace and help you, the CCSP certification exam candidate, succeed in your endeavors.

Good luck in pursuit of your CCSP certification!

Neil Edde
Associate Publisher—Certification
Sybex, Inc.


Software License Agreement: Terms and Conditions

The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the “Software”) to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms.

The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the “Owner(s)”). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media.

In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties (“End-User License”), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses.

By purchase, use or acceptance of the Software, you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time.

Software Support

Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media.

Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).

Warranty

SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to:

SYBEX Inc.
Product Support Department
1151 Marina Village Parkway
Alameda, CA 94501
Web: http://www.sybex.com

After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.

Disclaimer

SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting.

The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.

Shareware Distribution

This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.

Copy Protection

The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically pro-


I would like to thank Neil Edde and Maureen Adams for helping me get this project off the ground and making this a really great book—one I happen to be very excited about! Thank you, Neil and Maureen!

And kudos to you too, Heather! Ms. O’Connor was instrumental in helping me develop this book’s content. She and Mae Lum, the production editor, shepherded the whole project through production—no small task! I’d also like to thank Monica Lammle for helping me make this my best book to date and Carl Timm and Donald Porter, whose technical expertise was instrumental in the writing of this book—I couldn’t have done it without all of you!

My thanks also to the Sybex editorial and production team: copyeditor Sarah Lemaire; compositor Judy Fung; proofreaders Laurie O’Connell, Nancy Riddiough, and Monique van den Berg; and indexer Nancy Guenther.


Welcome to the exciting world of Cisco security certification! You’ve picked up this book because you want something better/more—better skills, more opportunities, better jobs, more job security, better quality of life, more mintage in your pocket—things like that. That’s no pie-in-the-sky fantasy for you, my friend—you’re smart! How do I know that? Because you’ve made a wise decision in picking up this book, and you wouldn’t have done that unless you were smart. And you’re right—Cisco security certification can really help you do everything from getting your first networking job to realizing your dreams of more money, prestige, job security, and satisfaction if you’re already in the industry. Basically, as long as you don’t have some weird, unfortunate workplace habit such as, oh, let’s say, shower-fasting, you’re all-the-rage, serious promotion material if you’re packing Cisco certifications. And only that much more so if you make the move into security and get certified there!

Cisco security certifications can give you another important edge—jumping through the hoops and learning what’s required to get those certifications will thoroughly improve your understanding of everything related to security internetworking, which is relevant to much more than just Cisco products. You’ll be totally dialed in—equipped with a solid knowledge of network security and how different topologies work together to form a secure network. This definitely can’t hurt your cause! It’s beneficial to every networking job—it’s the reason Cisco security certification is in such high demand, even at companies with only a few Cisco devices!

These new Cisco security certifications reach beyond the popular certifications such as the CCNA/CCDA and CCNP/CCDP to provide you with an indispensable factor in understanding today’s secure network—insight into the Cisco secure world of internetworking.

So really, by deciding you want to become Cisco security certified, you’re saying that you want to be the best—the best at routing and the best at network security. This book will put you way ahead on the path to that goal.

You may be thinking, “Why is it that networks are so vulnerable to security breaches anyway? Why can’t the operating systems provide protection?” The answer is pretty straightforward: Users want lots of features and Microsoft gives the users what they want because features sell. Capabilities such as sharing files and printers, and logging into the corporate infrastructure from the Internet are not just desired—they’re expected. The new corporate battle cry is, “Hey, give us complete corporate access from the Internet and make it super fast and easy—but make sure it’s really secure!” Oh yeah, we’ll get right on that.

Am I saying that Microsoft is the problem? No—they’re only part of it. There are just too many other security issues for any one company to be at fault. But it is true that providing any and all of the features that any user could possibly want on a network at the click of a mouse certainly creates some major security issues. And it’s also true that we certainly didn’t have the types of hackers we have today until Windows accidentally opened the door for them. But all of that is really just the beginning. To become truly capable of defending yourself, you must


xviii Introduction

So, the goal here is really twofold: First, I’m going to give you the information you need to understand all those vulnerabilities, and second, I’m going to show you how to create a single, network-wide security policy. But before I go there, there are two key questions behind most security issues on the Internet:

• How do you protect confidential information but still allow access for the corporate users that need to get to that information?

• How do you protect your network and its resources from unknown or unwanted users from outside your network?

If you’re going to protect something, you have to know where it is, right? Where important/confidential information is stored is key for any network administrator concerned with security. You’ll find the goods in two places: physical storage media (such as hard drives or RAM) and in transit across a network in the form of packets. This book’s focus is mainly on the network security issues relative to the transit of confidential information across a network. But it’s important to remember that both physical media and packets need to be protected from intruders within your network and outside of it. TCP/IP is used in all of the examples in this book because it’s the most popular protocol suite these days and also because it has some inherent and truly ugly security weaknesses.

But you won’t stop there. You’ll need to look beyond TCP/IP and understand that both operating systems and network equipment come with their own vulnerabilities to address as well. If you don’t have passwords and authentication properly set on your network equipment, you’re in obvious trouble. If you don’t understand your routing protocols and especially, how they advertise throughout your network, you might as well leave the building unlocked at night. Furthermore, how much do you know about your firewall? Do you have one? If so, where are its weak spots? Does it have any gaping holes? If you haven’t covered all these bases, your equipment will be your network’s Achilles heel.

What is Good Security?

So now you have a good idea of what you’re up against in the battle to provide security for your network. To stay competitive in this game, you need to have a sound security policy that is both monitored and used regularly. Good intentions won’t stop the bad guys from getting you. It’s planning and foresight that will save your neck. All possible problems need to be considered, written down, discussed, and addressed with a solid action plan.

And you need to communicate your plan clearly and concisely to the powers that be by providing management with your solid policy so that they can make informed decisions. With knowledge and careful planning, you can balance security requirements with user-friendly access and approach. And you can accomplish all of it at an acceptable level of operational cost. But this, as with many truly valuable things, is not going to be easy to attain.

First-class security solutions should allow network managers the ability to offer improved services to their corporate clients—both internally and externally—and save the company a nice chunk of change at the same time. If you can do this, odds are good that you’ll end up with a nice chunk of change too. Everybody (but not the bad guys) gets to win. Sweet!


Basically, if you can understand security well, and if you figure out how to effectively provide network services without spending the entire IT budget, you’ll enjoy a long, lustrous, and lucrative career in the IT world. You must be able to

• Enable new networked applications and services

• Reduce the costs of implementation and operations of the network

• Make the Internet a global, low-cost access medium

It’s also good to remember that people who make really difficult, complicated things simpler and more manageable tend to be honored, respected, and generally very popular—read, in demand and employed. One way to simplify the complex is to break a large, multifaceted thing down into nice, manageable chunks. To do this, you need to classify each network into each one of the three types of network security classifications: trusted networks, untrusted networks, and unknown networks. You should know a little bit about these before you begin this book.

Trusted networks Trusted networks are the networks you want to protect, and they populate the zone known as the security perimeter. The security perimeter is connected to a firewall server through network adapter cards. Virtual private networks (VPNs) are also considered trusted networks, only they send data across untrusted networks. So they’re special—they create special circumstances and require special considerations in establishing a security policy for them. The packets transmitted on a VPN are established on a trusted network, so the firewall server needs to authenticate the origin of those packets, check for data integrity, and provide for any other security needs of the corporation.

Untrusted networks Untrusted networks are those found outside the security perimeters and not controlled by you or your administrators, such as the Internet and the corporate ISP. Basically, these are the networks you are trying to protect yourself from while still allowing access to and from them.

Unknown networks Because you can’t categorize something you don’t know, unknown networks are described as neither trusted nor untrusted. This type of mystery network doesn’t tell the firewall if it’s an inside (trusted) network or outside (untrusted) network. Hopefully, you won’t have networks such as these bothering you.

How to Use This Book

If you want a solid foundation for the serious effort of preparing for the Securing Cisco IOS Networks (SECUR 642-501) exam, then look no further. I’ve spent a huge amount of time putting this book together in a way that will thoroughly equip you with everything you need to pass the SECUR exam, as well as teach you how to completely configure security on Cisco routers.

This book is loaded with lots of valuable information. You’ll really maximize your studying time if you understand how I put this book together.

To benefit the most from this book, I recommend you tackle it like this:


you do happen to get wrong and make note of which chapters the material comes from. It will help you plan your study strategy. Again, don’t be too bummed out if you don’t know any answers—just think instead of how much you’re about to learn!

2. Study each chapter carefully, making sure that you fully understand the information and the test objectives listed at the beginning of each chapter. And really zero in on any chapter or part of a chapter that’s dealing with areas where you missed questions in the assessment test.

3. Take the time to complete the written lab at the end of the chapter. Do not skip this—it directly relates to the SECUR exam and the relevant stuff you’ve got to glean from the chapter you just read. So no skimming—make sure you really, really understand the reason for each answer!

4. Answer all of the review questions related to that chapter. (The answers appear at the end of the chapter.) While you’re going through the questions, jot down any questions that confuse you and study those sections of the book again. Don’t throw away your notes—go over the questions that were difficult for you again before you take the exam. Seriously—don’t just skim these questions! Make sure you completely understand the reason for each answer, because the questions were written strategically to help you master the material that you must know before taking the SECUR exam.

5. Complete all the hands-on labs in the chapter, referring to the relevant chapter material so that you understand the reason for each step you take. If you don’t happen to have a bunch of Cisco equipment lying around to mess around with, be sure to study the examples extra carefully. You can also check out www.routersim.com for a router simulator to help you gain hands-on experience.

6. Try your hand at the bonus exams that are included on the CD provided with this book. These questions appear only on the CD, and testing yourself will give you a clear overview of what you can expect to see on the real thing.

7. Answer all the flashcard questions on the CD. The flashcard program will help you prepare completely for the SECUR exam.

The electronic flashcards can be used on your Windows computer, Pocket PC, or Palm device.

8. Make sure you read the Exam Essentials, Key Terms, and Commands Used in This Chapter lists at the end of the chapters and are intimately familiar with the information in those three sections.

I’m not going to lie to you—learning all the material covered in this book isn’t going to be a day at the beach. (Unless, of course, you study at the beach. But it’s still going to take you more than a day, so… oh, never mind.) What I’m trying to say is, it’s going to be hard. Things that are really worthwhile tend to be like that. So you’ll just have to be good boys and girls and apply yourselves regularly. Try to set aside the same time period every day to study and select a comfortable, quiet place to do so. Not every night, all comfy and cozy in bed 15 minutes before lights out either—you really don’t want to find yourself reading the same paragraph over and over again, do you? Pick a distraction-free time/place combo where you can be sharp and focused. If you work hard, you’ll get it all down, probably faster than you think!

This book covers everything you need to know in order to pass the SECUR exam. But even so, taking the time to study and practice with routers or a router simulator is your real key to success.

I promise—if you follow the preceding eight steps, really study and practice the review questions, the bonus exams, the electronic flashcards, and the written and hands-on labs, and practice with routers or a router simulator, it will be diamond-hard to fail the SECUR exam!

What Does This Book Cover?

Here’s the information you need to know for the SECUR exam—the goods that you’ll learn in this book.

Chapter 1, “Introduction to Network Security,” introduces you to network security and the basic threats you need to be aware of. Chapter 1 also describes the types of weaknesses that might exist on your network. All organizations must have a well-documented policy; this chapter explains how to develop a solid corporate network security policy and outlines what guidelines it should include.

Chapter 2, “Introduction to AAA Security,” is an introduction to the Cisco NAS (network access server) and AAA security. Chapter 2 explains how to configure a Cisco NAS router for authentication, authorization, and accounting.

Chapter 3, “Configuring CiscoSecure ACS and TACACS+,” explains how to install, configure, and administer the CiscoSecure ACS on Windows 2000 and Windows NT servers. (Chapter 3 also briefly describes the CiscoSecure ACS on Unix servers.) In addition, this chapter describes how the NAS can use either TACACS+ or RADIUS to communicate user access requests to the ACS.

Chapter 4, “Cisco Perimeter Router Problems and Solutions,” introduces you to the Cisco perimeter router and the problems that can occur from hackers to a perimeter router on your network. This chapter also describes how you can implement solutions to these problems.

Chapter 5, “Context-Based Access Control Configuration,” introduces you to the Cisco IOS Firewall and one of its main components, Context-Based Access Control (CBAC). Chapter 5 explains how CBAC is both different and better than just running static ACLs when it comes to protecting your network.

Chapter 6, “Cisco IOS Firewall Authentication and Intrusion Detection,” discusses the IOS Firewall Authentication Proxy, which allows you to create and apply access control policies to individuals rather than to addresses. In addition, this chapter also explains the IOS Firewall Intrusion Detection System (IDS), which allows your IOS router to act as a CiscoSecure IDS sensor would, spotting and reacting to potentially inappropriate or malicious packets.

Chapter 7, “Understanding Cisco IOS IPSec Support,” introduces the concept of virtual private networks (VPNs) and explains the solutions to meet your company’s off-site network


Chapter 8, “Cisco IPSec Pre-Shared Keys and Certificate Authority Support,” explains how to configure IPSec for pre-shared keys—the easiest of all the IPSec implementations—and how to configure site-to-site IPSec for certificate authority support.

Chapter 9, “Cisco IOS Remote Access Using Cisco Easy VPN,” covers a very cool development in VPN technology—Cisco Easy VPN. Cisco Easy VPN is a new feature in IOS that allows any capable IOS router to act as a VPN server.

Appendix A, “Introduction to the PIX Firewall,” describes the features and basic configuration of the Cisco PIX Firewall. Although there are no SECUR exam objectives that cover the PIX Firewall, this appendix helps you understand and configure a PIX box.

The Glossary is a handy resource for Cisco terms. It’s a great reference tool for understanding some of the more obscure terms used in this book.

Most chapters include written labs, hands-on labs, and plenty of review questions to make sure you’ve mastered the material. Don’t skip these tools—they’re invaluable to your success.

What’s on the CD?

We worked really hard to provide some very cool tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test:

The All-New Sybex Test Engine

The test preparation software, developed by the experts at Sybex, prepares you to pass the SECUR exam. In this test engine, you will find all the review and assessment questions from the book, plus two bonus exams that appear exclusively on the CD. You can take the assessment test, test yourself by chapter, or take the bonus exams. Your scores will show how well you did on each SECUR exam objective.

To find more test-simulation software for all Cisco and Microsoft exams, look for the CertSim link at www.routersim.com.

Electronic Flashcards for PC and Palm Devices

So to prepare for the exam, you do…what? Let’s summarize. First, you read this book. Then you proceed to study the review questions at the end of each chapter and work through the bonus exams included on the CD. After that, you test yourself with the flashcards included on the CD. Having done these things, you’re now unshakably confident because you know that if you can get through these difficult questions and understand the answers, you’re truly a formidable force. You can take the worst the SECUR exam can throw at you.

That’s because the flashcards include about 150 questions designed to hit you harder than Jet Li and make sure you’re the Terminator of test-takers—meaning you are ready for the exam. Between the review questions, the practice exams, and the flashcards, you’ll be ready to rock with everything you need and more to pass!


CCSP: Securing Cisco IOS Networks Study Guide in PDF

Sybex offers the CCSP: Securing Cisco IOS Networks Study Guide in PDF format on the CD so you can read the book on your PC or laptop if you travel and don’t want to carry a book, or if you just like to read from the computer screen. Acrobat Reader 5.1 with Search is also included on the CD.

Cisco Security Certifications

There are quite a few new Cisco security certifications to be had, but the good news is that this book, which covers the SECUR exam, is the prerequisite for all Cisco security certifications! All of these new Cisco security certifications also require a valid CCNA.

Cisco Certified Security Professional (CCSP)

You have to pass five exams to get your CCSP. The pivotal one of those is the SECUR exam. So if you have passed the SECUR, you need to take only four more. Here they are—the exams you must pass to call that CCSP yours:

• Securing Cisco IOS Networks (642-501 SECUR)

• Cisco Secure PIX Firewall Advanced (642-521 CSPFA)

• Cisco Secure Intrusion Detection System (642-531 CSIDS) (new exam available 3rd quarter 2003)

• Cisco Secure Virtual Networks (642-511 CSVPN)

• Cisco SAFE Implementation (9E0-131 CSI)

Cisco Firewall Specialist Cisco security certifications focus on the growing need for knowledgeable network professionals who can implement complete security solutions. Cisco Firewall Specialists focus on securing network access using Cisco IOS Software and Cisco PIX Firewall technologies.

The two exams you must pass to achieve the Cisco Firewall Specialist certification are Securing Cisco IOS Networks (642-501 SECUR) and Cisco Secure PIX Firewall Advanced (642-521 CSPFA).

Cisco IDS Specialist Cisco IDS Specialists can both operate and monitor Cisco IOS Software and IDS technologies to detect and respond to intrusion activities.

The two exams you must pass to achieve the Cisco IDS Specialist certification are Securing Cisco IOS Networks (642-501 SECUR) and Cisco Secure Intrusion Detection System (642-531 CSIDS) (new exam available 3rd quarter 2003).

Cisco VPN Specialist Cisco VPN Specialists can configure VPNs across shared public networks using Cisco IOS Software and Cisco VPN 3000 Series Concentrator technologies.


Cisco Network Support Certifications

Initially, to secure the coveted CCIE, you took only one test and then you were faced with a nearly impossible, extremely difficult lab—an all-or-nothing approach that made it really tough to succeed. In response, Cisco created a series of new certifications to help you acquire the coveted CCIE and aid prospective employers in measuring skill levels. With these new certifications, which definitely improved the ability of mere mortals to prepare for that almighty lab, Cisco opened doors that few were allowed through before. So, what are these stepping-stone certifications, and how do they help you get your CCIE?

Cisco Certified Network Associate (CCNA)

The CCNA certification was the first in the new line of Cisco certifications, and was the precursor to all current Cisco certifications. With the new certification programs, Cisco has created a type of stepping-stone approach to CCIE certification. Now, you can become a Cisco Certified Network Associate for the meager cost of the Sybex CCNA Study Guide, plus $125 for the test. And you don’t have to stop there—you can choose to continue with your studies and achieve a higher certification, called the Cisco Certified Network Professional (CCNP). Someone with a CCNP has all the skills and knowledge he or she needs to attempt the CCIE lab. However, because no textbook can take the place of practical experience, we’ll discuss what else you need to be ready for the CCIE lab shortly.

How Do You Become a CCNA?

The first step to becoming a CCNA is to pass one little test and—poof!—you’re a CCNA. (Don’t you wish it were that easy?) True, it’s just one test, but you still have to possess enough knowledge to understand (and read between the lines—trust me) what the test writers are saying.

I can’t stress this enough—it’s critical that you have some hands-on experience with Cisco routers. If you can get ahold of some Cisco 2500 or 2600 series routers, you’re set. But if you can’t, I have worked hard to provide hundreds of configuration examples throughout the Sybex CCNA Study Guide to help network administrators (or people who want to become network administrators) learn what they need to know to pass the CCNA exam.

One way to get the hands-on router experience you’ll need in the real world is to attend one of the seminars offered by Globalnet Training Solutions, Inc., which is owned and run by me, Todd Lammle. The GlobalNet Training seminars will teach you everything you need to become a CCNA, CCNP, CCSP, and CCIE! Each student gets hands-on experience by configuring at least two routers and a switch—there’s no sharing of equipment!

For hands-on training with Todd Lammle, please see www.globalnettraining.com.

Information about Sybex’s CCNA: Cisco Certified Network Associate Study Guide can be found at www.sybex.com.

Cisco Certified Network Professional (CCNP)

So you’re thinking, “Great, what do I do after passing the CCNA exam?” Well, if you want to become a CCIE in Routing and Switching (the most popular certification), understand that there’s more than one path to that much-coveted CCIE certification. The first way is to continue studying and become a Cisco Certified Network Professional (CCNP), which means four more tests, in addition to the CCNA certification.

The CCNP program will prepare you to understand and comprehensively tackle the internetworking issues of today and beyond—and it is not limited to the Cisco world. You will undergo an immense metamorphosis, vastly increasing your knowledge and skills through the process of obtaining these certifications.

While you don’t need to be a CCNP or even a CCNA to take the CCIE lab, it’s extremely helpful if you already have these certifications.

How Do You Become a CCNP?

After becoming a CCNA, the four exams you must take to get your CCNP are as follows:

Exam 643-801: Building Scalable Cisco Internetworks (BSCI)

This exam continues to build on the fundamentals learned in the CCNA course. It focuses on large multiprotocol internetworks and how to manage them with access lists, queuing, tunneling, route distribution, route maps, BGP, EIGRP, OSPF, and route summarization.

Exam 643-811: Building Cisco Multilayer Switched Networks (BCMSN)

This exam tests your knowledge of the Cisco Catalyst switches.

Exam 643-821: Building Cisco Remote Access Networks (BCRAN)

This exam determines if you really understand how to install, configure, monitor, and troubleshoot Cisco ISDN and dial-up access products. You must understand PPP, ISDN, Frame Relay, and authentication.

Exam 643-831: Cisco Internetwork Troubleshooting Support (CIT)

This exam tests you extensively on the Cisco troubleshooting skills needed for Ethernet and Token Ring LANs, IP, IPX, and AppleTalk networks, as well as ISDN, PPP, and Frame Relay networks.


www.routersim.com has a complete Cisco router simulator for all CCNP exams.

And if you hate tests, you can take fewer of them by signing up for the CCNA exam and the CIT exam and then taking just one more long exam called the Foundations exam (640-841). Doing this also gives you your CCNP, but beware—it’s a really long test that fuses all the material from the BSCI, BCMSN, and BCRAN exams into one exam. Good luck! However, by taking this exam, you get three tests for the price of two, which saves you 100 smackers (if you pass).

Remember that test objectives and tests can change at any time without notice Always check the Cisco website for the most up-to-date information ( www.cisco.com ).

Cisco Certified Internetwork Expert (CCIE)

Cool! You’ve become a CCNP, and now your sights are fixed on getting your Cisco Certified Internetwork Expert (CCIE). What do you do next? Cisco recommends a minimum of two years of on-the-job experience before taking the CCIE lab. After jumping those hurdles, you then have to pass the written CCIE Exam Qualification before taking the actual lab.

There are actually four CCIE certifications, and you must pass a written exam for each one of them before attempting the hands-on lab:

CCIE Communications and Services (Exams 350-020, 350-021, 350-022, 350-023)

The CCIE Communications and Services written exams cover IP and IP routing, optical, DSL, dial, cable, wireless, WAN switching, content networking, and voice.

CCIE Routing and Switching (Exam 350-001)

The CCIE Routing and Switching exam covers IP and IP routing, non-IP desktop protocols such as IPX, and bridge- and switch-related technologies.

CCIE Security (Exam 350-018)

The CCIE Security exam covers IP and IP routing as well as specific security components.

CCIE Voice (Exam 351-030)

The CCIE Voice exam covers those technologies and applications that make up a Cisco Enterprise VoIP solution.

How Do You Become a CCIE?

To become a CCIE, Cisco recommends you do the following:

1. Attend the GlobalNet Training CCIE hands-on lab program described at www.globalnettraining.com.

2. Pass the Drake/Prometric exam. (This costs $300 per exam, so hopefully, you’ll pass it the first time.) See the upcoming “Where Do You Take the Exams?” section for more information.

3. Pass the one-day, hands-on lab at Cisco. This costs $1,250 (yikes!) per lab, and many people fail it two or more times. Some people never make it through—it’s very difficult. Cisco has both added and deleted sites lately for the CCIE lab, so it’s best to check the Cisco website for the most current information. Take into consideration that you might just need to add travel costs to that $1,250!

Cisco Network Design Certifications

In addition to the network support certifications, Cisco has created another certification track for network designers. The two certifications within this track are the Cisco Certified Design Associate and Cisco Certified Design Professional certifications. If you’re reaching for the CCIE stars, we highly recommend the CCNP and CCDP certifications before attempting the lab (or attempting to advance your career).

This certification will give you the knowledge you need to design routed LAN, routed WAN, and switched LAN and ATM LANE networks.

Cisco Certified Design Associate (CCDA)

To become a CCDA, you must pass the Designing for Cisco Internetwork Solutions exam (640-861 DESGN). To pass this test, you must understand how to do the following:

• Identify customer business needs and their internetworking requirements

• Assess the existing customer network and identify the potential issues

• Design the network solution that suits the customer needs

• Explain the network design to customer and network engineers

• Plan the implementation of the network design

• Verify the implementation of the network design

The CCDA: Cisco Certified Design Associate Study Guide, 2nd ed. (Sybex, 2003) is the most cost-effective way to study for and pass your CCDA exam.

Cisco Certified Design Professional (CCDP)

If you’re already a CCNP and want to get your CCDP, you can simply take the 640-025 CID test. But if you’re not yet a CCNP, you must take the CCDA, CCNA, BSCI, Switching, Remote Access, and CID exams.

CCDP certification skills include the following:


CCDPs must also demonstrate proficiency in the following:

• Network-layer addressing in a hierarchical environment

• Traffic management with access lists

• Hierarchical network design

• VLAN use and propagation

• Performance considerations: required hardware and software; switching engines; memory, cost, and minimization

Where Do You Take the Exams?

You may take the exams at any of the more than 800 Thomson Prometric Authorized Testing Centers around the world (www.2test.com), or call 800-204-EXAM (3926). You can also register and take the exams at a VUE authorized center as well (www.vue.com), or call 877-404-EXAM (3926).

To register for a Cisco certification exam:

1. Determine the number of the exam you want to take. (The SECUR exam number is 642-501.)

2. Register with the nearest Thomson Prometric Registration Center or VUE testing center. You’ll be asked to pay in advance for the exam. At the time of this writing, the exams are $125 each and must be taken within one year of payment. You can schedule exams up to six weeks in advance, or as late as the same day you want to take it. If you fail a Cisco exam, you must wait 72 hours before you get another shot at retaking the exam. If something comes up and you need to cancel or reschedule your exam appointment, contact Thomson Prometric or VUE at least 24 hours in advance.

3. When you schedule the exam, you’ll get instructions regarding all appointment and cancellation procedures, the ID requirements, and information about the testing-center location.

Tips for Taking Your SECUR Exam

The SECUR exam contains about 70 questions to be completed in about 90 minutes. This can change per exam. You’ve got to score right around 82% to pass, but again, each exam can be a tad different, so aim higher.

Many questions on the exam have answer choices that at first glance look a lot alike—especially the syntax questions (I’ll discuss those in a moment)! Remember to read through the choices super carefully because close doesn’t cut it. If you get commands in the wrong order or forget one measly character, you’ll get the question wrong. So, to practice, do the hands-on exercises in this book over and over again until they feel natural to you.


Also, never forget that the right answer is the Cisco answer. In many cases, more than one appropriate answer is presented, but the correct answer is the one that Cisco recommends.

Here are some general tips for exam success:

• Arrive early at the exam center so you can relax and review your study materials.

• Read the questions carefully. Don’t jump to conclusions. Make sure you’re clear about exactly what each question asks.

• When answering multiple-choice questions that you’re not sure about, use the process of elimination to discard the obviously incorrect answers first. Doing this greatly improves your odds if you need to make an educated guess.

• You can no longer move forward and backward through the Cisco exams, so double-check your answer before pressing Next, because you can’t change your mind.

After you complete an exam, you’ll get immediate, online notification of your pass or fail status—a printed Examination Score Report that indicates your pass or fail status, and your exam results by section. The test administrator will give you that report. Test scores are automatically forwarded to Cisco within five working days after you take the test, so you don’t need to send in your score. If you pass the exam, you’ll usually receive confirmation from Cisco within two to four weeks.

How to Contact the Authors

You can reach Todd Lammle through Globalnet Training Solutions, Inc. (www.globalnettraining.com), his training company in Dallas, or at RouterSim, LLC (www.routersim.com), his software company in Denver.

You can also contact Todd Lammle and Carl Timm by going to www.globalnettraining.com/forum. You can find information about Cisco certifications and also ask questions relating to their

Watch that Syntax!

Unlike Microsoft or Novell tests, the SECUR exam has answer choices that are syntactically similar. Although some syntax is dead wrong, it is usually just subtly wrong. Some other choices may be syntactically correct, but they’re shown in the wrong order. Cisco does split hairs, and they’re not at all averse to giving you classic trick questions. Here’s an example:

True or False: access-list 101 deny ip any any eq 23 denies Telnet access to all systems. This statement looks correct because most people refer to the port number (23) and think, “Yes, that’s the port used for Telnet.” The catch is that you can’t filter IP on port numbers (only TCP and UDP).
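To make the trick question concrete, here is an added example (not from the book) that models extended-ACL matching in Python: it rejects a port qualifier on an ip entry, and shows that only a tcp entry actually blocks Telnet while UDP and other traffic fall through to the permit. The ACL lines, packets, and the handful of well-known port names are constructed for the example; real IOS accepts more qualifiers than this model does.

```python
"""Simplified model of IOS extended-ACL matching (constructed example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Only TCP and UDP carry port numbers an ACL can test; "ip" has no port field.
PORT_PROTOCOLS = {"tcp", "udp"}
# A small subset of the well-known port names IOS accepts in place of numbers.
NAMED_PORTS = {"telnet": 23, "ssh": 22, "smtp": 25, "www": 80, "snmp": 161}


@dataclass
class AclEntry:
    number: int
    action: str                  # "permit" or "deny"
    protocol: str                # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]      # None when the entry has no "eq" qualifier


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _parse_address(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (net, next)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    wildcard = tokens[i + 1]
    if wildcard == "0.0.0.0":          # IOS: exact host (ipaddress would read /0)
        return ipaddress.IPv4Network(f"{tokens[i]}/32"), i + 2
    if wildcard == "255.255.255.255":  # IOS: any address
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 2
    # An IOS wildcard mask is an inverted netmask; ipaddress accepts it as a hostmask.
    return ipaddress.IPv4Network(f"{tokens[i]}/{wildcard}", strict=False), i + 2


def parse_ace(line: str) -> AclEntry:
    """Parse 'access-list <num> <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number, action, protocol = int(tokens[1]), tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, i = _parse_address(tokens, 4)
    dst, i = _parse_address(tokens, i)
    dst_port = None
    if i < len(tokens):
        if tokens[i] != "eq" or i + 1 >= len(tokens):
            raise ValueError(f"unsupported qualifier in {line!r}")
        if protocol not in PORT_PROTOCOLS:
            # The exam trap: a port test on protocol "ip" is not a valid entry.
            raise ValueError(f"'eq' is only valid for tcp/udp, not {protocol!r}")
        port = tokens[i + 1]
        dst_port = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
    return AclEntry(number, action, protocol, src, dst, dst_port)


def is_valid_ace(line: str) -> bool:
    """True when the line parses as a valid entry in this model."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def matches(entry: AclEntry, pkt: Packet) -> bool:
    """Protocol 'ip' matches any IP protocol; a port is tested only if the entry has one."""
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if ipaddress.IPv4Address(pkt.src) not in entry.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in entry.dst:
        return False
    return entry.dst_port is None or entry.dst_port == pkt.dst_port


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"


if __name__ == "__main__":
    # Constructed ACL: block Telnet to everything, allow the rest.
    acl = [parse_ace("access-list 101 deny tcp any any eq telnet"),
           parse_ace("access-list 101 permit ip any any")]
    print(evaluate(acl, Packet("tcp", "10.1.1.5", "192.168.1.1", 23)))  # deny
    print(evaluate(acl, Packet("udp", "10.1.1.5", "192.168.1.1", 23)))  # permit
    print(is_valid_ace("access-list 101 deny ip any any eq 23"))        # False
```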


Assessment Test

1. Which of the following commands trace AAA packets and monitor their activities? (Choose all that apply.)

A. debug aaa authentication

B. debug aaa authorization

C. debug aaa all

D. debug aaa accounting

2. What is the last header you can read in clear text when a packet has been encrypted using IPSec?

B. No written security policy

C. Unsecured user accounts

D. No monitoring of the security

4. Which IOS feature best prevents DoS SYN flood attacks?


6. Which of the following commands do you use to change the maximum number of half-open TCP connections per minute to 100?

A. ip inspect tcp synwait-time 100

B. ip inspect tcp idle-time 100

C. ip inspect max-incomplete high 100

D. ip inspect one-minute high 100

E. ip inspect tcp max-incomplete host 100

7. IP spoofing, man-in-the-middle, and session replaying are examples of what type of security weakness?

A. Configuration weakness

B. TCP/IP weakness

C. Policy weakness

D. User password weakness

8. Alert is the _ for attack signatures in the IOS Firewall IDS.


11. What are RSA-encrypted nonces?

A. Manually generated/exchanged public keys

B. Automatically generated/exchanged public keys

C. Manually generated/exchanged private keys

D. Automatically generated/exchanged private keys

12. What function does the clear crypto isakmp * command perform?

A. It resets all LDPM SAs configured on a device

B. It resets all IKE RSAs configured on a device

C. It resets all IKE SAs configured on a device

D. It resets the crypto settings for a configured peer

13. Which component of AAA provides for the login, password, messaging, and encryption of users?

C. ip inspect max-incomplete high 600

D. ip inspect one-minute high 600

E. ip inspect tcp max-incomplete host 600

15. Which of the following are examples of policy weaknesses? (Choose all that apply.)

A. Absence of a proxy server

B. No trusted networks

C. Misconfigured network equipment

D. No disaster recovery plan

E. Technical support personnel continually changing


16. The ESP protocol provides which service not provided by the AH protocol?

D. Database Replication utility

E. Database Import utility

18. What does the command aaa new-model do?

A. It creates a new AAA server on the NAS

B. It deletes the router’s configuration and works the same as erase startup-config

C. It disables AAA services on the router

D. It enables AAA services on the router

19. A connection that has failed to reach an established state is known as _?


21. Which of the following are examples of a TCP/IP weakness? (Choose all that apply.)

22. You have just configured IPSec encryption Which problem are you trying to solve?

A. Denial-of-service (DoS) attacks

A. Define Port-to-Application Mapping (PAM)

B. Set audit trails and alerts

C. Test and verify CBAC

D. Set global timeouts and thresholds

E. Apply inspection rules and ACLs to interfaces

F. Define inspection rules


26. What port does ISAKMP use for communications?

A. It has no known effect on the router

B. It sets the total number of TCP connections per host to 1000

C. It sets the total number of TCP connections per host to 100

D. It changes the maximum number of half-open TCP connections per host to 1000

E. It changes the maximum number of half-open TCP connections per host to 100


31. What key does Diffie-Hellman (DH) create during IKE phase 1?

A. Xa

B. Bx

C. Xor

D. NorX

32. Which of the following authentication methods is not supported by CiscoSecure ACS 3.0 for Windows NT/2000? (Choose all that apply.)

33. The ip inspect max-incomplete high 1000 command changes what setting?

A. It changes the maximum number of half-open TCP connections to 100

B. It changes the minimum number of half-open TCP connections to 1000

C. It changes the maximum number of half-open TCP connections to 1000

D. It changes the IP inspect idle timer to 1000 seconds

E. It changes the IP inspect idle timer to 100 seconds

34. Which of the following statements about CS ACS 3.0 token-card server support are true? (Choose all that apply.)

A. Microsoft is supported with service pack 6.0a

B. AXENT is natively supported

C. CryptoCard is natively supported

D. Novell NDS v4.x or higher is supported.

E. ODBC with 6.0.1.1a service pack is supported

35. IOS version 12.2(8)T is the minimum version required in order to run _.

A. LPDM

B. Windows NT Terminal Services

C. IOS Easy VPN Server

D. sRAS (Secure RAS) or sDNS (Secure Domain Name Service)


36. Memory usage and _ are two issues to consider when implementing the IOS Firewall IDS.

A. User knowledge

B. Signature coverage

C. User address space

D. TACACS+ server type

37. What does the aaa authentication login default tacacs+ none command instruct the router to do? (Choose all that apply.)

A. No authentication is required to log in

B. TACACS+ is the default login method for all authentication

C. If the TACACS+ process is unavailable, no access is permitted

D. RADIUS is the default login method for all authentication

E. If the TACACS+ process is unavailable, no login is required

F. If the RADIUS process is unavailable, no login is required

38. _ and _ are both supported by Cisco Easy VPN Server.

01:41:50: AAA/AUTHEN: free_user (0x81420624) user='todd' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN priv=1

01:42:12: AAA/AUTHEN/CONT (864264997): Method=LOCAL


A. This debug output shows that the user is using a remote database for authenticating the user todd

B. This is a debug output from the authorization component of AAA

C. This is a debug output from the authentication component of AAA

D. The password will be checked against the local line password


Answers to Assessment Test

1. A, B, D. The debug commands debug aaa authentication, debug aaa authorization, and debug aaa accounting can be used to help you trace AAA packets and monitor the AAA activities on the NAS. See Chapter 2 for more information.

2. C. IPSec encrypts all headers (including the data payload) after the Network layer header. See Chapter 7 for more information.

3. C. Unsecured user accounts are considered a weakness in configuration. See Chapter 1 for more information.

4. B. TCP Intercept can protect against DoS SYN flood attacks. See Chapter 4 for more information.

5. A. Pre-shared keys and RSA digital signatures are supported authentication types. DSS is not supported. DES and 3DES are encryption algorithms, not authentication types. See Chapter 9 for more information.

6. D. The ip inspect one-minute high 100 command sets the maximum number of half-open TCP connections per minute to 100. See Chapter 5 for more information.

7. B. TCP/IP has some inherent weaknesses. IP spoofing, man-in-the-middle attacks, and session replaying are some examples of attacks that take advantage of TCP/IP weaknesses. See Chapter 1 for more information.

8. A. The default action for attack signatures is to alert. See Chapter 6 for more information.

9. C. Token cards/soft tokens are the most secure method of user authentication. See Chapter 2 for more information.

10. A, B, D. Policy, technology, and configuration weaknesses are the three typical weaknesses in any network implementation. See Chapter 1 for more information.

11. A. The first step in using RSA-encrypted nonces requires the user to manually generate the keys. The user must then manually enter the public key created on each device into the device they wish to peer with. See Chapter 7 for more information.

12. C. To reset all active IKE SAs on a device, use the * keyword with the clear crypto isakmp command. If you just want to reset a particular IKE SA, use the clear crypto isakmp conn-id command. See Chapter 8 for more information.

13. C. Authentication identifies a user, including login, password, messaging, and encryption. See Chapter 2 for more information.

14. B. The ip inspect tcp idle-time 600 command sets the idle time on TCP connections to 10 minutes (600 seconds). See Chapter 5 for more information.

16. A. ESP provides for data confidentiality (encryption). AH does not provide encryption. See Chapter 7 for more information.

17. A, D, E. You can populate the CiscoSecure User Database in only three ways: manually, using the Database Replication utility, or using the Database Import utility. CSNT can authenticate to external user databases such as Novell NDS or Windows NT, but it does not import these databases. See Chapter 3 for more information.

18. D. To start AAA on an NAS, use the global configuration command aaa new-model. The new-model keyword reflects changes from the initial implementation, which is no longer supported. See Chapter 2 for more information.

19. C. CBAC defines a half-open connection as any connection that fails to reach an established state. See Chapter 5 for more information.

20. C, E. CSNT supports TACACS+ and RADIUS communication with the NAS. See Chapter 3 for more information.

21. C, E, F. There are many problems with the IP stack, especially in Microsoft products. Session replaying is a weakness that is found in TCP. Both SNMP and SMTP are identified by Cisco as inherently insecure protocols in the TCP/IP stack. See Chapter 1 for more information.

22. D. IPSec and encryption are used to prevent eavesdropping. See Chapter 4 for more information.

23. B. MD5 authentication can be used to secure against rerouting attacks. See Chapter 4 for more information.

24. D. The CSNT web server listens on TCP port 2002. See Chapter 3 for more information.

25. B, D, A, F, E, C. The six steps of configuring CBAC are as follows: set audit trails and alerts, set global timeouts and thresholds, define Port-to-Application Mapping, define inspection rules, apply inspection rules and ACLs to interfaces, and finally, test and verify CBAC. See Chapter 5 for more information.

26. D. ISAKMP uses UDP port 500 for communications. See Chapter 7 for more information.

27. B. Policy, technology, and configuration weaknesses are the three typical weaknesses in any network implementation. See Chapter 1 for more information.

28. B. The TCP Intercept feature implements software to protect TCP servers from TCP SYN flood attacks, which are a type of denial-of-service attack. See Chapter 4 for more information.

29. C, E. The Cisco IOS Cryptosystem consists of DES, MD5, DSS, and DH. See Chapter 7 for more information.

30. E. The ip inspect tcp max-incomplete host 100 command sets the maximum number of half-open TCP connections to a single host to 100. See Chapter 5 for more information.

31. A. During IKE phase 1, DH is used to create the private keys, Xa and Xb, and the public keys, Ya and Yb. DH then uses these keys to create the shared secret key ZZ, which is used to encrypt the DES and MD5 keys. So, answer A is correct. See Chapter 7 for more information.

32. B, C, D. The authentication methods supported by CiscoSecure 3.0 include Windows NT/2000, Novell Directory Services (NDS), Directory Services (DS), Token Server, ACS Databases, Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP), and Open Database Connectivity (ODBC). See Chapter 3 for more information.

33. C. The ip inspect max-incomplete high 1000 command sets the maximum number (regardless of the destination host) of half-open TCP connections to a single host to 1000. See Chapter 5 for more information.

34. B, C. CS ACS supports token-card servers from CryptoCard, ActivCard, Vasco, RSA ACE/Server, Secure Computing SafeWord, and AXENT Defender. See Chapter 3 for more information.

35. C. You must have at least 12.2(8)T to run the IOS Easy VPN Server. See Chapter 9 for more information.

36. B. Both memory usage and signature coverage are issues to consider when planning an IOS Firewall IDS implementation. Performance impact is a third issue to consider. See Chapter 6 for more information.

37. B, E. This command specifies to use the default list against the TACACS+ server and that TACACS+ is the default login method for all authentications. The none keyword at the end means that if the TACACS+ process is unavailable, no login is required. See Chapter 3 for more information.

38. C, F. DH groups 2 and 5 are supported by Cisco Easy VPN Server. DSS, DH1, PFS, and manual keys are not supported. See Chapter 9 for more information.

39. A. Atomic signatures trigger on a single packet. See Chapter 6 for more information.

40. C, D. The text after AAA/AUTHEN means that this is from the authentication component of AAA. Method=LOCAL means that the local line will be used for authentication. See Chapter 2 for more information.

Chapter 1

Introduction to Network Security

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

• Introduction to network security

• Creating a security policy

• Reasons for creating a security policy

• Security issues

• Security threats

In a perfect world, network security would be as simple as merely installing some cool hardware or software onto your network and voila! Your network is now Fort Knox. In the real world, you do this and then brace yourself so you don’t make too much of a scene when the inevitable corporate security breach occurs. Frustrated, you say to yourself, “I really thought I had taken the necessary precautions—I’ve done everything I could have!” This chapter will help you understand that there’s more to network security than technology. Real network security requires understanding the inherent people and corporate policy issues as well.

News and stories about Internet identity theft, hackers jacking sensitive corporate information, or some new virus vaporizing hard drives left and right are definitely the hot topics du jour. Countless shadowy Internet users are spreading havoc from their computers, and it’s really difficult—sometimes impossible—to track them down. So how do you protect yourself? Well, to begin addressing this problem, let’s take a look at what Cisco says are the three main security issues that face a corporate network today:

• Security is not just a technology problem. Administrators and users are the cause of many of the security problems that corporations face today.

• Vast quantities of security technologies exist. Too many network administrators buy technology from a random advertisement they happen to read in a networking magazine. But simply throwing money at your security problems isn’t usually the best solution. Predictably, many vendors would absolutely love it if they could succeed in making you believe otherwise!

• Many organizations lack a single, well-defined network-wide security policy. Some corporations don’t even have a security policy—no lie! Or worse, even if they do, each department has created their own security policy independently of the others. This is highly ineffective because it creates a myriad of security holes, leaving the network wide open to attacks in a number of places.

Anyone reading this book should be concerned with network security and interested in how a network can become truly secure using proper network policy. An effective network security policy involves a strategic combination of both hardware implementation and the proper corporate handling of information. This chapter will discuss the reasons for creating a corporate security policy. Understanding them will provide you with a solid grasp of the Cisco SECUR exam objectives.

Let’s move on to discuss the specific types of threats your network may be vulnerable to.


Types of Network Security Threats

Sadly, human nature does have a nasty side. And unfortunately, its lust for power, money, and revenge is sometimes aimed straight at your data. Though most of us aren’t twisted, depraved, and ethically challenged, it’s our fellow humans who can and often do present serious threats to our network data. You simply must realize that you need to protect it. And you can—but before you actually begin to secure your data, you must understand the different types of threats looming out there, just waiting for the opportunity to strike. There are four primary threats to network security that define the type of attacker you could be dealing with some day:

Unstructured threats

Unstructured threats typically originate from curious people who have downloaded information from the Internet and want to feel the sense of power this provides them. Sure, some of these folks—commonly referred to as Script Kiddies—can be pretty nasty, but most of them are just doing it for the rush and for bragging rights. They’re untalented, inexperienced hackers, and they’re really just motivated by the thrill of seeing what they can do.

Structured threats

Hackers who create structured threats are much more sophisticated than Script Kiddies. They are technically competent and calculating in their work, they usually understand network system design, and they are well versed in how to exploit routing and network vulnerabilities. They can and often do create hacking scripts that allow them to penetrate deep into a network’s systems at will. They tend to be repeat offenders. Both structured and unstructured threats typically come from the Internet.

External threats

External threats typically come from people on the Internet or from someone who has found a hole in your network from the outside. These serious threats have become ubiquitous in the last six to seven years, during which time most companies began to show their presence on the Internet. External threats generally make their insidious way into your network via the Internet or via a dial-up server, where they try to gain access to your computer systems or network.

Internal threats

Internal threats come from users on your network, typically employees. These are probably the scariest of all threats because they’re extremely tough to both catch and stop. And because these hackers are authorized to be on the network, they can do some serious damage in less time because they’re already in and they know their way around.

Plus, the profile of an internal threat is that of the disgruntled, angry, and vengeful former or current employee, or even a contractor who wants nothing more than to cause some real pain and suffering! Although most users know this type of activity is illegal, some users also know it’s fairly easy to cause a lot of damage—fast—and that they have a shake at getting away with it. That can be a huge, irresistible temptation to those with the right modus operandi or the wrong temperament!

4231c01.fm Page 3 Monday, May 5, 2003 12:46 PM


4 Chapter 1  Introduction to Network Security

Types of Security Weaknesses

This is probably the most important section in this chapter because it defines what security weaknesses are and how to understand inherent weaknesses in hardware, software, and people. Generally, there are three types of security weaknesses in any network implementation:

Technology weakness refers to the inadequacies of electronic systems, whether hardware or software. Technology weaknesses create a challenge for IT people because most hardware and software used in a company were already installed when they started their job.

Let’s break down this category into three specific areas.

TCP/IP Weaknesses

TCP/IP has intrinsic security weaknesses because it was designed as an open standard to facilitate network communication. The fact that TCP/IP is an open standard is the main reason for its vast popularity, but the open standard nature of TCP/IP is also a reason why network attacks happen so easily and often: many people are familiar with how TCP/IP works.

For example, the original Unix sendmail daemon runs as root, so a flaw in it hands an attacker control of the entire Unix system! By simply reading the version banner that sendmail returns, a hacker can lock, load, and launch attacks on vulnerabilities specific to that operating system version. Special torture!

Yes, TCP/IP has operating system weaknesses that truly need to be addressed, but what’s worse is that TCP/IP has also created network equipment weaknesses such as weak password protection, lack of required authentication, its routing protocols (which advertise your entire network), and firewall holes.

The two protocols that Cisco likes to pick on in the TCP/IP stack as inherently insecure are Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP). IP spoofing (masquerade attack), man-in-the-middle, and session replaying are specific examples of TCP/IP weaknesses.

Operating System Weaknesses


that must be dealt with if you’re running them on your network. It all comes down to a specific network’s needs.

Network Equipment Weaknesses

All network equipment, such as servers, routers, switches, and so on, has some inherent security weakness. But being armed with a well-defined policy for the configuration and installation of network equipment can help tremendously in reducing the effects of network equipment weaknesses.

It is recommended that the following policies be in place before any piece of network equipment is configured and installed: passwords, authentication, routing protocols, and firewalls.

Configuration Weaknesses

Here’s where human error comes into the fray: it’s the administrator who creates configuration weaknesses. You’d be surprised how often a network administrator either leaves equipment at a default setting or fails to secure the network administrator accounts. Some common “come hither and hack me” scenarios exposing your everyday corporate network include configuration flaws such as unsecured user accounts, system accounts with easily guessed passwords, misconfigured Internet services, unsecured default settings in products, and misconfigured network equipment.

Unsecured User Accounts

Using default administrator accounts with no passwords and “God-like” control over the network is definitely asking for trouble. Just don’t do that! If you’re running Microsoft Windows NT, make sure you rename the administrator account. Doing this ensures that any intruders will at least have a slightly harder time finding and breaking into your operating system.

Put some serious thought into which users are granted which rights and privileges, because if you don’t and you instead give rights away indiscriminately, chaos will ensue. Take the time to establish the rights each user really needs, and don’t give them any more rights than what they really need to do their job!

Did you know that usernames and passwords are generally transmitted insecurely across the network? Ever hear of the Reconnaissance intruder? You know, the guy or gal who likes to think they are in the “Internet Special Forces” and their job is to find your network weakness and exploit it? Funny how these people always think they are performing a public service when they steal your data and that you were just so lucky that it was only them who broke in and not some really bad person. They actually believe that they have helped you because now you will fix “the weakness” before a “bad guy” really breaks in. Right. Anyway, these cleartext passwords are the kind of cool stuff that these snoopers spy for so they can use the information to gain access to your network later. As an administrator, make sure to define password policies that will help you secure your network.

System Accounts with Easily Guessed Passwords

Another way to invite trouble is to assign system account passwords that are easy to guess. To avoid this blunder, the administrator needs to set up policies on your servers that won’t allow certain kinds of passwords and that make sure each password has an expiration date.


Explicitly define a corporate policy for all users that makes it crystal clear that they can’t use their name, their significant other’s name, their child’s name, their birth date, or any other excruciatingly obvious passwords, even if they add something to it! It’s also a really great idea to have them mix lowercase and uppercase letters, numbers, and special characters into their passwords. This helps defend your network against brute-force attacks that use dictionary files to guess passwords.
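Here is what such a policy check looks like when it is enforced in code rather than just written down. This is an added example for this section, not code from the book or from Cisco; the wordlist is a constructed stand-in for a real dictionary file, and the accounts it is run against are made up. It goes a little beyond the paragraph above: before comparing, it also undoes the usual letter-for-number substitutions (P@ssw0rd), because password-cracking dictionaries already try those, so they add no real strength.

```python
"""Password-policy checker for the rules described above (added example, not from the book)."""
from datetime import date

# Constructed stand-in for a dictionary file; a real policy check would load a large wordlist.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "cisco", "admin", "summer", "secret")

# Substitutions that dictionary-attack rule sets already try, so they add no real strength.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(text):
    """Lowercase and undo common leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return text.lower().translate(_LEET)


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, special) the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(password, username="", personal_tokens=(), birthdate=None, min_length=10):
    """Return a list of policy violations; an empty list means the password is acceptable.

    personal_tokens: names the policy forbids (spouse, children, pets); birthdate: a datetime.date.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, special characters")

    norm = normalize(password)
    # Substring match catches 'Password1!' and 'xxpasswordxx': adding something to a
    # dictionary word does not make it safe.
    for word in COMMON_WORDS:
        if word in norm:
            problems.append(f"built on dictionary word '{word}'")
            break
    for token in (username, *personal_tokens):
        token_norm = normalize(token)
        if len(token_norm) >= 3 and token_norm in norm:
            problems.append(f"contains personal token '{token}'")
    if birthdate is not None:
        # Compare against the raw password: leet normalization would mangle the digits.
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d"):
            if birthdate.strftime(fmt) in password:
                problems.append("contains the user's birth date")
                break
    return problems


def demo_results():
    """Run the checker over a few constructed accounts (made-up user 'jsmith', spouse 'Sally')."""
    return {pw: check_password(pw, username="jsmith", personal_tokens=("Sally",),
                               birthdate=date(1987, 6, 14))
            for pw in ("P@ssw0rd2003!", "Sally1987!", "jsmith2024", "Tr0ub4dor&3Violet")}


if __name__ == "__main__":
    for pw, problems in demo_results().items():
        print(f"{pw}: {'; '.join(problems) or 'OK'}")
```

Of the four constructed candidates only the last one passes: the first is a dictionary word dressed up with symbols and a year, the second is the spouse’s name plus a birth year, and the third is the username with a year and too few character classes.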

Misconfigured Internet Services

I know it’s hard to believe, but some companies really do still use publicly routable IP addresses on their internal network to address their hosts and servers. With the Network Address Translation (NAT) and Port Address Translation (PAT) services that are available now, there is no good reason to use public IP addresses internally.

But you can use private IP addresses. These (the RFC 1918 ranges) allow corporations, and even single homes, to use an IP address range that is not routed on the public Internet. This provides some security for corporations: only the public addresses on the border router are reachable from the Internet, and the internal hosts behind it are not directly addressable.

This isn’t a magical cure, though. Ports need to be opened on the router or firewall that connects you to the Internet in order to allow users access to and from the Internet, and every port you open is exactly the kind of hole in a firewall that attackers can and do exploit.

Don’t get me wrong. By putting up a firewall (the Cisco Secure Private Internet eXchange (PIX) Firewall is one of the best), you can provide good security for your network by using conduits, which are rules that permit only specific inbound traffic, to open ports from the Internet to your servers.

Is this bulletproof security? No, that doesn’t exist, but the PIX box is good, really good!

Another potential source of trouble and exposure is that some network administrators enable Java and JavaScript in their web browsers. Doing this makes it possible for hackers to attack you with hostile Java applets.

Unsecured Default Settings in Products

Tangling things further is the fact that many hardware products ship with either no password at all or a published default password so that the administrator can easily configure the device. On one hand, this really does make life easier; some devices are meant to be plug-and-play. For example, Cisco switches are plug-and-play because Cisco wants you to be able to just replace your hubs and instantly make your network better. And it really works, too! But you definitely need to put a password on that switch or an attacker could easily break in.

Cisco actually gave this some thought and is a step ahead in solving this problem. Cisco routers and switches won’t accept a Telnet session until a password has been configured on the vty lines; until then the device refuses the login. But this feature does nothing to guard against other types of break-in attempts, such as what the “Internet Special Forces” are trying to “protect” you from.

This is one reason why it’s such a good idea to establish a configuration security policy on each device before any new equipment is installed on your network.


Hardware and the protocols that run on it can also create security holes in your network. If you don’t have a policy that describes the hardware and the protocols that run on each piece of equipment, hackers could be breaking in without your ever being aware that you’ve been attacked until it’s too late.

Here’s a huge problem: If you use SNMP default settings, tons of information about your network can be read out simply and quickly. So make sure you either disable SNMP or change the default SNMP community strings (public and private). These strings are basically passwords for gathering SNMP data, and a read-write community lets an attacker change the configuration, not just read it.
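The default-settings problems just described (a well-known community string, a read-write community with no access list, a vty line that accepts Telnet or has login turned off, an enable password instead of an enable secret) are easy to check for mechanically once the running config is in a text file. The audit script below is an added example, not code from the book or from Cisco; both configurations it inspects are constructed, its parser understands only the commands it checks for (a real IOS config has many more forms), and the enable secret hash in the hardened config is a placeholder rather than a real hash.

```python
"""Audit an IOS-style running config for the default and weak settings described above.

Added example, not from the book or from Cisco. The configs below are constructed; the
parser understands only the handful of commands it checks for and is not a full IOS parser.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}   # the well-known SNMPv1/v2c defaults

# Constructed weak configuration (the kind of box this section warns about).
WEAK_CONFIG = """\
hostname Edge1
no service password-encryption
enable password cisco
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 no login
 transport input telnet
line vty 5 15
 login
 password cisco
 transport input ssh
"""

# Constructed hardened counterpart; the enable secret hash is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname Edge1
service password-encryption
enable secret 5 $1$placeholder$notARealHashValue
access-list 10 permit 10.1.1.5
snmp-server community Qx7-m0nitor-only RO 10
line vty 0 4
 login local
 transport input ssh
"""


def split_config(config):
    """Return (top-level commands, {'line vty 0 4': [indented sub-commands], ...})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        top.append(cmd)
        if cmd.startswith("line "):          # only line blocks are tracked here
            current = cmd
            blocks[current] = []
    return top, blocks


SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?$", re.I)


def audit_config(config):
    """Return a list of findings (strings); an empty list means nothing weak was spotted."""
    top, blocks = split_config(config)
    findings = []

    has_enable_password = any(cmd.startswith("enable password") for cmd in top)
    has_enable_secret = any(cmd.startswith("enable secret") for cmd in top)
    if has_enable_password and not has_enable_secret:
        findings.append("enable password set without enable secret (stored cleartext or reversible type 7)")
    if "service password-encryption" not in top:
        findings.append("service password-encryption is off: line passwords are shown in cleartext "
                        "(turning it on only obfuscates them; use enable secret and SSH too)")

    for cmd in top:
        m = SNMP_RE.match(cmd)
        if not m:
            continue
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)   # IOS defaults to RO
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP community '{name}' is a well-known default")
        if mode == "RW" and acl is None:
            findings.append(f"SNMP community '{name}' is read-write and not restricted by an access list")

    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        if "no login" in body:
            findings.append(f"{header}: no login, so anyone reaching the port gets a prompt without authenticating")
        for entry in body:
            if entry.startswith("transport input") and re.search(r"\b(telnet|all)\b", entry):
                findings.append(f"{header}: cleartext Telnet permitted ({entry})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against the output of show running-config saved to a file and you get the seven findings for the weak box and none for the hardened one. The checks are deliberately narrow; the point is that a per-device configuration policy is only useful if something verifies it before the device goes on the wire.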

Policy Weaknesses

You know by now that your corporate network security policy describes how and where security will be implemented within your network. And you understand that your policy should include information on how those configuration policies will be or have been initiated, right?

Let’s take a moment to really clarify solid security policy by identifying the characteristics that contaminate bad policies.

Absence of a Written Security Policy

If a network administrator, or anyone else around, doesn’t understand what’s expected of them from the start, they’ll just make things up as they go along. This is a very bad idea, and it’s a good way to create the kind of chaos that will leave your network wide open to bad guys. Start your written security policy by first describing users, passwords, and Internet access. Then describe your network’s hardware configuration, including all devices (PCs, servers, routers, and switches) and the security that’s required to protect them.

Organization Politics

You thought I was kidding, huh? No way. Office politics absolutely play a leading role in each and every part of the corporate security policy. Understanding the power plays that occur continuously within the annals of upper management (they are happening; just pay attention for about five minutes to get the dynamics right) is very important indeed. What does each member of the upper management team envision and expect for the corporation’s security? Does one manager have one goal and another manager have a different goal? The answer is always yes. You’ll need to find a common ground if you want to get anything done.

Lack of Business Continuity

Here’s another really hard-to-believe fact: Just about every corporate network is pretty much slapped together with the thought of “doing it right later.” And now you are stuck with the mess. Unless you find yourself in the enviable position of being able to just move into a new building and design the network from the ground up, you’ll be hard-pressed to create a single streamlined corporate security policy that you can implement evenly throughout the organization. And even then, layoffs and constant turnover in the IT department cause security nightmares: all passwords for the equipment, servers, and so on must be changed. Sometimes corporate restructuring makes this process nasty and overwhelming, so administrators perform tasks and configure settings hastily just to keep up. Improper and/or incomplete change control on the network can expose some really ugly policy weaknesses.

If your technical support staff is continually changing, be sure to understand that this can create a security weakness in your policies.

Lax Security Administration

Creating a fabulous corporate security policy, including monitoring and auditing your network’s security, is hard work. It can be upsetting when no one cares about it. “Why implement this? They’ll just tell me to change it next week!” That’s probably true, but somehow you need to try to provide a solid, well-defined security policy that is also well monitored. Think of this as a policy within the policy, because if no one is monitoring or auditing company resources, those resources can and will certainly be wasted. This has potentially catastrophic implications because that type of lax security administration could easily end up exposing the corporation to legal action!

Installation and Changes That Do Not Follow the Stated Policy

Making sure that all software and hardware installations follow the stated installation policy is part of monitoring that policy. And monitoring these installations is integral to the policy’s integrity. I know this is difficult and tedious, and it seems as if I’m telling you that you don’t get to have a life, but it’s very important, really. If you have no installation or configuration policy to adhere to, then unauthorized changes to the network’s topology or some unapproved application installation can quickly create holes in your network’s security.

No Disaster Recovery Plan

Disasters? Those only happen somewhere else, right? But they might happen, and they can even happen to you. So for your network’s sake, earthquakes, fires, vandalism, hardware failure, vicious cord-eating rats, and even, God forbid, Internet access failure should all be things that you have a strategy for dealing with in your disaster recovery plan. Your gleaming, brilliant disaster recovery plan will describe your every answer to each and every one of these woes. If you don’t do this in times of tranquil peace before you experience a meltdown, you’ll experience sheer chaos, panic, and total confusion when something really does go down. And certain types of people tend to take advantage of situations like that, don’t they? ’Nuf said.

Types of Network Attacks


for you to understand so you can be prepared for what an attacker may throw at you. Most network attacks fall into these three categories:

Reconnaissance attacks Reconnaissance attacks are unauthorized familiarization sessions that a hacker might use to find out what can be attacked on your network. An attacker on reconnaissance is out for discovery: mapping the network and its resources, systems, and vulnerabilities. This is often just a preliminary task. The information gathered will frequently be used to attack the network later.

Access attacks Access attacks are waged against networks or systems to retrieve data, gain access, or escalate access privileges. This can be as easy as finding network shares with no passwords. It’s not always serious; many access attacks are performed out of curiosity or for the intellectual challenge, but beware. Some access attacks are really done to steal data, while other hackers perform access attacks because they want to play with your toys or use you to camouflage their identity in order to make their dirty work look as though it came from your network!

Denial-of-service (DoS) attacks Denial-of-service (DoS) attacks are always nasty. Their sole purpose is to disable or corrupt network services. A DoS attack will usually either crash a system or slow it down to the point where it’s rendered useless. DoS attacks are usually aimed at web servers and are surprisingly easy to perform. (The next section discusses DoS attacks in more detail.)
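Reconnaissance leaves a trail: a scanner walking a host’s ports, or one port across a run of hosts, shows up as a burst of denies from a single source in your router’s ACL log. The script below is an added example, not code from the book or from Cisco. It builds constructed log lines in the shape of IOS %SEC-6-IPACCESSLOGP messages as relayed by syslog (the year is assumed, since that format carries none) and flags any source that touches an unusual number of distinct ports on one host, or one port on an unusual number of hosts, inside a time window.

```python
"""Spot reconnaissance (port scans and host sweeps) in ACL deny logs.

Added example, not from the book or from Cisco. The log lines are constructed in the shape of
IOS %SEC-6-IPACCESSLOGP messages as relayed by syslog; the timestamp year is assumed because
that log format carries none.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %SEC-6-IPACCESSLOGP: list \S+ denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), \d+ packets?$"
)
ASSUMED_YEAR = 2003   # assumption: syslog lines carry no year


def _line(second, src, sport, dst, dport):
    """Build one constructed deny-log line at 12:46:<second>, e.g.
    'May 5 12:46:01 edge1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4400) -> 10.1.1.5(21), 1 packet'
    """
    return (f"May 5 12:46:{second:02d} edge1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
            f"{src}({sport}) -> {dst}({dport}), 1 packet")


# Constructed sample: one source walks the service ports of a single host, another source
# hits port 445 on a run of hosts, and a third source is just an ordinary denied connection.
SAMPLE_LOG = (
    [_line(1 + i, "203.0.113.7", 4400 + i, "10.1.1.5", port)
     for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]
    + [_line(3 + i, "198.51.100.9", 5100 + i, f"10.1.1.{10 + i}", 445) for i in range(8)]
    + [_line(15, "192.0.2.4", 3201, "10.1.1.5", 23),
       "May 5 12:46:20 edge1 %SYS-5-CONFIG_I: Configured from console by console",  # unrelated, skipped
       _line(40, "192.0.2.4", 3202, "10.1.1.5", 80)]
)


def parse_acl_log(lines):
    """Yield one event dict per ACL deny line; lines in any other format are ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"],
        }


def detect_recon(lines, window_seconds=60, port_threshold=6, host_threshold=6):
    """Return {(src, kind, target): count} for sources that look like they are mapping you.

    kind is 'port scan' (many ports on one host, target = host) or 'host sweep'
    (one port on many hosts, target = port); count is the number of distinct
    ports/hosts that source touched within window_seconds.
    """
    events = sorted(parse_acl_log(lines), key=lambda e: e["ts"])
    history = defaultdict(list)
    alerts = {}
    for ev in events:
        history[ev["src"]].append(ev)
        recent = [h for h in history[ev["src"]]
                  if (ev["ts"] - h["ts"]).total_seconds() <= window_seconds]
        ports = {h["dport"] for h in recent if h["dst"] == ev["dst"]}
        hosts = {h["dst"] for h in recent if h["dport"] == ev["dport"]}
        if len(ports) >= port_threshold:
            alerts[(ev["src"], "port scan", ev["dst"])] = len(ports)
        if len(hosts) >= host_threshold:
            alerts[(ev["src"], "host sweep", ev["dport"])] = len(hosts)
    return alerts


if __name__ == "__main__":
    for (src, kind, target), count in detect_recon(SAMPLE_LOG).items():
        print(f"{src}: {kind} against {target} ({count} distinct within the window)")
```

On the constructed sample, 203.0.113.7 is reported for a port scan of 10.1.1.5 and 198.51.100.9 for a sweep of port 445, while 192.0.2.4, which was merely denied twice, stays quiet. The thresholds are the tuning knobs: set them too low and every misconfigured client becomes a “scanner”; set them too high and a slow, patient mapper never crosses the line within the window.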

But there are many ways, most of them fairly common, to gather information about a network and to compromise corporate information, even to cause the destruction of a corporate web server and services. In particular, the three network attacks we just discussed can cause the most trouble in your system.

TCP/IP teams up with your operating system to provide many weak, exploitable spots (if not outright invitations) into a corporation’s network. TCP/IP and operating system weaknesses are probably the two greatest technology-oriented weaknesses facing corporations today.

Here is a list of the most common attacks on your network:

• Eavesdropping

• Denial-of-service attacks

• Unauthorized access

• WareZ

• Masquerade attack (IP spoofing)

• Session replaying or hijacking
